# Module 25: Endpoint Vulnerability Assessment

:::success
Here is a cheat sheet generated from the course content using ChatGPT. It recaps the main concepts of each module, definitions and examples. At the end of (almost) each part, you will find a link to online related flashcards.
:::

### **25.1 Network and Server Profiling**

#### **25.1.1 Network Profiling**

Network profiling involves understanding and analyzing normal network behavior so that deviations which may indicate a security breach can be detected. The statistical baseline provides the reference point for what "normal" looks like.

- **Key Points**:
  - Capture current and accurate baseline data over an extended period; a baseline captured over too short a window does not reflect normal daily and weekly variation and produces false positives.
  - Tools: **NetFlow** and **Wireshark**.
  - Deviations such as increased WAN usage, unusual ports, or unexpected host-to-host communication can indicate malware activity.
  - User profiling tools such as **AAA logs** and **Cisco Identity Services Engine (ISE)** help identify abnormal user behavior.

**Network Profile Elements**:

| **Network Profile Element** | **Description** |
|---|---|
| **Session duration** | Time between the establishment and termination of a data flow. |
| **Total throughput** | Amount of data passing from source to destination within a given time period. |
| **Ports used** | List of TCP or UDP ports (and the processes behind them) that are available to accept data. |
| **Critical asset address space** | IP addresses or logical location of essential systems or data. |

---

#### **25.1.2 Server Profiling**

Server profiling establishes a security baseline for a server, defining the network, user, and application parameters that are accepted for that specific server. Any deviation from the baseline can then be flagged as a potential compromise.
**Server Profile Elements**:

| **Server Profile Element** | **Description** |
|---|---|
| **Listening ports** | TCP and UDP daemons and ports allowed to be open on the server. |
| **Logged in users and accounts** | Parameters defining user access and behavior. |
| **Service accounts** | Definitions of the services an application is allowed to run. |
| **Software environment** | Tasks, processes, and applications permitted to run on the server. |

---

#### **25.1.3 Network Anomaly Detection**

Network anomaly detection analyzes diverse network data (packet-flow features, the packets themselves, and telemetry from multiple sources) using **statistical** and **rule-based** methods to detect deviations and potential compromises.

- **Techniques**:
  - **Network Behavior Analysis (NBA)**: Uses statistical and machine learning techniques to compare the baseline with current behavior.
  - **Rule-based Detection**: Analyzes decoded packets against predefined attack patterns.

**Example Algorithm for Anomaly Detection**:

- Every X minutes, sample 1 in Y of the network flows for Z seconds.
- If the number of flows seen during that Z-second window exceeds N, raise an **alarm**.

| Example Values | Description |
|---|---|
| **X = 5** | Sample every 5th minute. |
| **Y = 100** | Sampling rate: 1 in 100 flows. |
| **Z = 30** | Monitor network flows for 30 seconds. |
| **N = 500** | Threshold: if more than 500 flows are seen, generate an alarm. |

A threshold rule like this is only as good as its baseline: N has to be derived from observed normal flow counts, otherwise the rule either fires constantly or never fires.

---

#### **25.1.4 Network Vulnerability Testing**

Vulnerability testing helps an organization secure its Internet-facing services and internal networks by identifying weaknesses before an attacker can exploit them.
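Both 25.1.2 and 25.1.3 come down to comparing observations against a baseline. The following Python is an added worked example written for this cheat sheet (it is not course code): it checks constructed `ss -tulpn`-style output against a constructed server profile, and runs the X/Y/Z/N flow rule over constructed flow timestamps. It assumes the threshold N applies to the *sampled* flows, which the course leaves unstated, and uses deterministic 1-in-Y sampling where a real exporter samples randomly.

```python
"""Baseline comparison for a server profile (25.1.2) and the X/Y/Z/N
flow-count rule (25.1.3). Added example, not course code; every input
below is constructed for illustration."""
import re
from collections import Counter

# --- 25.1.2: server profile deviation ------------------------------------

# Constructed baseline for a hypothetical web server (assumption).
BASELINE_PROFILE = {
    "listening_ports": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "software_environment": {"sshd", "nginx"},
}

# Constructed text in the shape of Linux ``ss -tulpnH`` output (assumption):
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
SS_OUTPUT = """\
tcp   LISTEN 0 128 0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=812,uid=0))
tcp   LISTEN 0 511 0.0.0.0:80    0.0.0.0:* users:(("nginx",pid=1020,uid=33))
tcp   LISTEN 0 511 0.0.0.0:443   0.0.0.0:* users:(("nginx",pid=1020,uid=33))
tcp   LISTEN 0 128 0.0.0.0:4444  0.0.0.0:* users:(("nc",pid=2231,uid=1001))
udp   UNCONN 0 0   0.0.0.0:69    0.0.0.0:* users:(("atftpd",pid=1310,uid=0))
"""

SS_LINE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r'users:\(\("(?P<proc>[^"]+)",pid=\d+,uid=\d+\)\)'
)


def parse_listeners(ss_text):
    """Return {(proto, port): process_name} for each socket line."""
    listeners = {}
    for line in ss_text.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue  # header line or socket without a visible owner
        port = int(m.group("local").rsplit(":", 1)[1])  # works for v4 and [::]
        listeners[(m.group("proto"), port)] = m.group("proc")
    return listeners


def profile_deviations(baseline, listeners):
    """List listeners and processes that the server baseline does not allow."""
    findings = []
    for (proto, port), proc in sorted(listeners.items()):
        if (proto, port) not in baseline["listening_ports"]:
            findings.append(f"unexpected listener {proto}/{port} owned by {proc}")
        if proc not in baseline["software_environment"]:
            findings.append(f"process {proc} is not in the software baseline")
    return findings


# --- 25.1.3: sampled flow-count threshold rule ---------------------------

def flow_alarms(flow_times, x_minutes=5, y_rate=100, z_seconds=30, n_threshold=500):
    """Apply the X/Y/Z/N rule to flow start times given in seconds.

    Every X minutes a Z-second window opens; 1 in Y of the flows is sampled
    (deterministic modulo sampling here, an assumption); a window alarms
    when its sampled flows exceed N.
    Returns [(window_start_seconds, sampled_count), ...] for alarming windows.
    """
    period = x_minutes * 60
    sampled_per_window = Counter()
    for i, t in enumerate(sorted(flow_times)):
        window_start = int(t // period) * period
        if t - window_start < z_seconds and i % y_rate == 0:
            sampled_per_window[window_start] += 1
    return [(start, n) for start, n in sorted(sampled_per_window.items())
            if n > n_threshold]


def constructed_flows():
    """Constructed telemetry: 20 flows/s background for 20 minutes plus a
    3,000 flows/s burst (e.g. an internal scan) for 30 s starting at 15:00."""
    times = [s + k / 20 for s in range(20 * 60) for k in range(20)]
    times += [900 + k / 3000 for k in range(90_000)]
    return times


if __name__ == "__main__":
    for finding in profile_deviations(BASELINE_PROFILE, parse_listeners(SS_OUTPUT)):
        print("PROFILE:", finding)
    for start, count in flow_alarms(constructed_flows()):
        print(f"FLOW ALARM: window at {start}s had {count} sampled flows (> 500)")
```

Run as a script it reports the rogue `nc` and `atftpd` listeners and a single alarm for the window at 900 s; the three quiet windows stay well under the threshold, which is the point of choosing N from the baseline rather than guessing it.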
**Types of Network Security Testing Activities**:

| **Activity** | **Description** | **Tools** |
|---|---|---|
| **Risk Analysis** | Analyze the risks and impacts of attacks on core company assets and functioning. | Internal/external consultants, risk management frameworks. |
| **Vulnerability Assessment** | Scan for vulnerabilities such as missing patches, unnecessary open ports, and weak configurations. | OpenVAS, Nessus, Microsoft Baseline Security Analyzer (MBSA), Qualys, Nmap. |
| **Penetration Testing** | Authorized simulated attacks that identify and exploit vulnerabilities to assess real impact. | Metasploit, CORE Impact, ethical hackers. |

:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/23-1-5-check-your-understanding-identify-the-elements-of-network-profiling-answers.html).
:::

>[!Warning]Recap
>It is important to perform network and device profiling to provide statistical baseline information that can serve as a reference point for normal network and device performance. Important elements of the network profile include session duration, total throughput, ports used and critical asset address space. Server profiling is used to establish the accepted operating state of servers. A server profile is a security baseline for a given server. It establishes the network, user, and application parameters that are accepted for a specific server. Network behavior is described by a large amount of diverse data such as the features of packet flow, features of the packets themselves, and telemetry from multiple sources. Big data analytics can be used to perform statistical, behavioral, and rule-based anomaly detection.
>
>Network security can be evaluated using a variety of tools and services. Risk analysis is the evaluation of the risk posed by vulnerabilities to a specific organization. Vulnerability assessment uses software to scan Internet-facing servers and internal networks for various types of vulnerabilities. Penetration testing uses authorized simulated attacks to test the strength of network security.

### 25.2 Common Vulnerability Scoring System (CVSS)

---

#### 25.2.1 **CVSS Overview**

- **Definition**: An open, vendor-neutral framework for rating the severity of vulnerabilities in hardware and software systems. Strictly, CVSS measures severity rather than risk; the environmental metric group is what lets an organization adjust a score toward its own exposure.
- **Purpose**:
  - Standardizes vulnerability scoring so that scores are consistent across organizations.
  - Provides an open framework with transparency for each metric.
  - Allows risk to be prioritized in a way that is meaningful to individual organizations.
- **Versions**: CVSS v3.1 (published by **FIRST** in June 2019) is the version used throughout this module. FIRST has since published CVSS v4.0 (November 2023), which replaces the temporal group with a threat metric group; vendors and NVD still publish v3.1 scores alongside it.
- **Components**:
  - **Base Metric Group**
  - **Temporal Metric Group**
  - **Environmental Metric Group**

---

#### 25.2.2 **CVSS Metric Groups**

The CVSS includes **three metric groups** to assess vulnerabilities:

![image](https://hackmd.io/_uploads/S1zuyOnV1g.png)

1. **Base Metric Group**: Characteristics of a vulnerability that are constant across time and contexts.
   - **Exploitability Metrics**: How easily the vulnerability can be exploited.
   - **Impact Metrics**: Effect on the **CIA Triad**: Confidentiality, Integrity, and Availability.
   - **Scope**: Whether a successful exploit affects resources beyond the security authority of the vulnerable component.
2. **Temporal Metric Group**: Characteristics that change over time:
   - **Exploit Code Maturity**
   - **Remediation Level**
   - **Report Confidence**
3. **Environmental Metric Group**: Tailors the severity to the user's specific environment:
   - Adjusts the confidentiality, integrity, and availability requirements.
   - Includes **Modified Base Metrics** for fine-tuning.
---

#### 25.2.3 **Base Metric Group: Exploitability and Impact Metrics**

**Exploitability Metrics**

| **Criteria** | **Description** |
|---|---|
| **Attack Vector** | How close the threat actor must be to the vulnerable component (Network, Adjacent, Local, Physical). |
| **Attack Complexity** | Conditions beyond the attacker's control that must exist for the exploit to succeed. |
| **Privileges Required** | Level of access the attacker must already hold for a successful exploit. |
| **User Interaction** | Whether a user other than the attacker must take some action for the exploit to succeed. |
| **Scope** | Whether a successful exploit affects resources beyond the security authority of the vulnerable component. In the v3.x specification Scope is its own metric; the course lists it alongside the exploitability metrics. |

**Impact Metrics**

| **Term** | **Description** |
|---|---|
| **Confidentiality Impact** | Impact on confidentiality, that is, on limiting information access to authorized users. |
| **Integrity Impact** | Impact on the trustworthiness and authenticity of information. |
| **Availability Impact** | Impact on the accessibility of resources (e.g., bandwidth, disk space, processor cycles). |

---

#### 25.2.4 **CVSS Scoring Process**

1. **Base Metrics Assessment**:
   - Use the **CVSS v3.1 Calculator** (available at FIRST.org).
   - Generate a **Base Score** from the exploitability and impact metrics.
2. **Temporal Metrics**:
   - Adjust the Base Score over time (e.g., as patches become available or exploit code appears). Because every temporal multiplier is at most 1.0, the temporal score can only lower the base score, never raise it.
3. **Environmental Metrics**:
   - Tailor the score to the organization's own requirements (e.g., how much it values the confidentiality, integrity, or availability of the affected system).
![image](https://hackmd.io/_uploads/HJvkednEkl.png)

**Base Metric Key**

| **Metric Name** | **Initials** | **Possible Values** | **Meaning** |
|---|---|---|---|
| **Attack Vector** | AV | [N, A, L, P] | N = Network, A = Adjacent, L = Local, P = Physical |
| **Attack Complexity** | AC | [L, H] | L = Low, H = High |
| **Privileges Required** | PR | [N, L, H] | N = None, L = Low, H = High |
| **User Interaction** | UI | [N, R] | N = None, R = Required |
| **Scope** | S | [U, C] | U = Unchanged, C = Changed |
| **Confidentiality Impact** | C | [H, L, N] | H = High, L = Low, N = None |
| **Integrity Impact** | I | [H, L, N] | H = High, L = Low, N = None |
| **Availability Impact** | A | [H, L, N] | H = High, L = Low, N = None |

**Example Base Metric Group Vector String**: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N`

Read left to right: reachable over the network, low attack complexity, but the attacker needs high privileges, no user interaction, scope unchanged, low confidentiality and integrity impact, no availability impact. The v3.1 calculator rates this vector 3.8 (Low); the high privilege requirement and the low impacts keep it down despite network reachability.

---

#### 25.2.5 **CVSS Reports**

- **Score Ranges** and their qualitative meaning:

| **Rating** | **CVSS Score** |
|---|---|
| **None** | 0.0 |
| **Low** | 0.1 – 3.9 |
| **Medium** | 4.0 – 6.9 |
| **High** | 7.0 – 8.9 |
| **Critical** | 9.0 – 10.0 |

- **Use**:
  - Base and Temporal scores are typically supplied by **vendors** (or taken from NVD).
  - Organizations complete the **Environmental Metrics** to put the score in their own context; a vendor's 9.8 on an isolated lab host and a 5.3 on an Internet-facing authentication server do not deserve the same urgency.
- **Threshold**: As the rule of thumb the course gives, any vulnerability scoring above 3.9 (Medium or higher) should be addressed, with higher scores taking greater urgency.

---

#### 25.2.6 **Other Vulnerability Information Sources**

1. **Common Vulnerabilities and Exposures (CVE)**:
   - Maintained by **MITRE**.
   - Provides a standard identifier (CVE-YYYY-NNNN, four or more digits) for each publicly known vulnerability, so that fixes, threat intelligence, scanner output, and security logs can all refer to the same issue.
2. **National Vulnerability Database (NVD)**:
   - Maintained by **NIST**.
   - Enriches CVE entries with CVSS scores, technical details, references to fixes, and the affected products.

Together with CVSS, these sources provide the identifiers and scores that a vulnerability assessment is built on.
:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/23-2-7-check-your-understanding-identify-cvss-metrics-answers.html).
:::

>[!Warning]Recap
>The Common Vulnerability Scoring System (CVSS) is a vendor-neutral, industry standard, open framework for rating the risks of a given vulnerability by using a variety of metrics to calculate a composite score. CVSS produces standardized vulnerability scores that should be meaningful across organizations. It is an open framework with the meaning of each metric openly available to all users. It allows prioritization of risk in a way that is meaningful to individual organizations. CVSS uses three groups of metrics to assess vulnerability. The metric groups are the base metric group, the temporal metric group, and the environmental metric group. The base metric group is designed as a way to assess security vulnerabilities that are found in software and hardware systems.
>
>Vulnerabilities are rated according to the attack vector, attack complexity, privileges required, user interaction, and scope, together with their confidentiality, integrity, and availability impact. The temporal and environmental groups modify the base metric score according to the history of the vulnerability and the context of the specific organization. A CVSS calculator tool is available on the FIRST website. The CVSS calculator yields a number that describes the severity of the risk that is posed by the vulnerability. Scores range from zero to ten. Ranges of scores have qualitative values of none, low, medium, high, or critical risk. In general, any vulnerability that exceeds 3.9 should be addressed. The higher the rating level, the greater the urgency for remediation. Other important vulnerability information sources include Common Vulnerabilities and Exposures (CVE) and the National Vulnerability Database (NVD), both of which are available online.
### 25.3 Secure Device Management

---

#### **25.3.1 Risk Management**

- **Definition**: The selection and specification of security controls to manage risk to an organization.
- **Risk Management Process**:
  1. **Risk Identification**: Identify assets, vulnerabilities, and threats.
  2. **Risk Assessment**: Score, weigh, and prioritize risks.
  3. **Risk Response Planning**: Determine responses and plan the actions.
  4. **Response Implementation**: Implement the planned responses.
  5. **Monitor and Assess Results**: Continuously monitor risks and evaluate how well the responses are working.

![image](https://hackmd.io/_uploads/rkE_0w3Nye.png)

- **Key Questions for Risk Assessment**:
  - Who are the threat actors?
  - What vulnerabilities exist?
  - How would an attack affect us?
  - How likely is an attack to occur?
- **Risk Response Strategies**:

| **Response** | **Description** |
|---|---|
| **Risk avoidance** | Stop performing the risky activity, or retire the vulnerable system or service, because the risk is too high. |
| **Risk reduction** | Take measures to reduce the vulnerability or its impact (e.g., patch systems that threat actors frequently target). |
| **Risk sharing** | Shift part of the risk to a third party (e.g., outsourcing security operations, buying cyber insurance). |
| **Risk retention** | Accept the risk and take no action, typically when the impact is low or the cost of mitigation exceeds the expected loss. |

:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/23-3-2-check-your-understanding-identify-the-risk-response-answers.html).
:::

---

#### **25.3.3 Vulnerability Management**

- **Definition**: A proactive process to reduce or eliminate IT vulnerabilities and so mitigate the risk of their exploitation.
- **Vulnerability Management Lifecycle**:
  1. **Discover**: Inventory assets, identify vulnerabilities, and establish a baseline.
  2. **Prioritize Assets**: Categorize assets by their criticality to the business.
  3. **Assess**: Determine a baseline risk profile so that risk can be measured as assets change.
  4. **Report**: Measure risk, document vulnerabilities, and monitor suspicious activity.
  5. **Remediate**: Prioritize and fix vulnerabilities according to risk.
  6. **Verify**: Follow-up audits confirm that the vulnerabilities have actually been eliminated.

---

#### **25.3.4 Asset Management**

- **Definition**: Systems that track the location, configuration, and status of networked devices and software across the enterprise.
- **NIST Guidance** (process):
  - **Automated discovery** and inventory of the actual state of devices.
  - **Desired state definition** using policies, plans, and procedures.
  - Identify assets that do not match the desired state and correct them.
  - Repeat the process regularly; an inventory is only accurate as of its last run.

**Process Overview**:

![image](https://hackmd.io/_uploads/ryoCCPh4ke.png)

---

#### **25.3.5 Mobile Device Management (MDM)**

- **Challenges**: Mobile devices leave the network perimeter and can be lost, stolen, or tampered with.
- **MDM Solutions**:
  - Disable, and where configured remotely wipe, lost devices.
  - Encrypt data stored on the device.
  - Enforce strong authentication.
- **Example Tool**: Cisco Meraki Systems Manager manages and secures a diverse set of mobile clients from the cloud.

---

#### **25.3.6 Configuration Management**

- **Definition**: Inventory and control of hardware and software configurations so that systems remain in a secure baseline state.
- **Benefits**:
  - Reduces the attack surface.
  - Controls software, hardware, and user access.
- **NIST Guidance**:
  - Maintain configuration integrity through a change-control process.
  - Tools such as **Puppet**, **Chef**, **Ansible**, and **SaltStack** automate server configuration in virtual and cloud environments and make drift from the baseline detectable.

---

#### **25.3.7 Enterprise Patch Management**

- **Definition**: The process of identifying, acquiring, distributing, installing, and verifying patches that address software vulnerabilities.
- **Compliance Regulations**: Required by regulations such as SOX and HIPAA.
- **Tools**:
  - **SolarWinds**, **LANDesk** (now part of Ivanti), Microsoft **SCCM** (now Microsoft Configuration Manager).
---

#### **25.3.8 Patch Management Techniques**

| **Technique** | **Description** |
|---|---|
| **Agent-based** | A software agent on each host reports patch status, installs patches, and verifies compliance; it also covers hosts that roam off the corporate network. |
| **Agentless Scanning** | A patch server scans network devices, determines which patches are required, and deploys them; only hosts that are reachable during the scan are covered. |
| **Passive Network Monitoring** | Identifies devices that need patching by observing software versions in network traffic; it works only for software that reveals its version on the wire, and the patch itself is deployed by one of the other two methods. |

:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/23-3-9-check-your-understanding-identify-device-management-activities-answers.html#:~:text=Which%20management%20activity%20is%20the,by%20some%20security%20compliance%20regulations%3F&text=Explanation%3A%20Enterprise%20patch%20management%20is,2.).
:::

>[!Warning]Recap
>Risk management involves the selection and specification of security controls for an organization. There are four potential ways to respond to risks. Risk avoidance means discontinuing the vulnerable activity, system, or service because the risk is too high. Risk reduction means taking measures to mitigate the risk in order to limit its impact. Risk sharing means outsourcing responsibility for the risk or using insurance to cover damages caused by the risk. Risk retention means accepting the risk and taking no action.
>
>Vulnerability management is a security practice that is designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization. The vulnerability management life cycle involves six steps: discover, prioritize assets, assess, report, remediate, and verify. Asset management involves the implementation of systems that track the location and configuration of networked devices and software across an enterprise. Mobile device management (MDM) systems allow security personnel to configure, monitor and update a very diverse set of mobile clients from the cloud. Configuration management addresses the inventory and control of hardware and software configurations of systems. Patch management is related to vulnerability management and involves all aspects of software patching, including acquiring, distributing, installing, and verifying patches. Patch management is required by some compliance regulations. There are different patch management techniques such as agent-based, agentless scanning, and passive network monitoring.